Posted to users@subversion.apache.org by Chris Rose <of...@gmail.com> on 2004/12/30 18:03:24 UTC

Storing /etc in a repository

I'm thinking that I should start being a more responsible admin of my
server -- I've run into situations before where I've made a change
that has broken something and I have wished like hell that I could A)
remember what it was and B) restore it to a working state.

So, in that vein, I have a subversion repository that I'd like to be
able to keep my entire /etc tree in.  Or at least as much of it as is
reasonable to do so.

How can I go about this, though?  I can check it in, but that's going
to A) be prohibitively large if there are unnecessary binary files in
there and B) I don't know how to convert /etc to a working copy
without deleting it all -- and since the repository is on the same
system (with the apache server, etc...) I'm not sure if this is even
possible.

I hope that someone else here has done something like this.  Should I
maybe set up a secondary repo on another system for this?  I don't
really have one to work with at the moment, so I'm not sure I can, but
if it's the only way I'll have to do it.  I'd prefer a one-machine
(different physical drive, so hardware redundancy == taken care of)
solution.
-- 
Chris R.
======
Not to be taken literally, internally, or seriously.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Storing /etc in a repository

Posted by "Robert P. J. Day" <rp...@mindspring.com>.
On Wed, 5 Jan 2005, Chris Jensen wrote:

> > > Actually, shadow, group, passwd, etc... are not being vc-ed, for that
> > > very reason.  They're not complex files, and I don't work heavily with
> > > them -- so why bother?
> >
> >
> > It really depends what you are doing, and what are your requirements:
> > I would be very, very unhappy if some bit fungus eats those files, and
> > I had to re-create them from scratch (especially /etc/group).
>
> I don't keep any files with passwords in my repository for security reasons.
> In our environment, this means only ignoring shadow. group and passwd don't
> contain passwords (nor would they in most setups), so they should be safe to
> version.

> I'm pretty sure (though have not tested) that you can recreate
> shadow automatically from passwd should you have a catastrophic
> failure - of course you'll lose your passwords, but given it's a
> server I don't think there's more than 2 or 3 passwords in shadow
> (all other accounts are service accounts).

you'd also lose all password aging/expiration information, but that's
not as critical.

rday


Re: Storing /etc in a repository

Posted by Chris Jensen <cj...@edex.com.au>.
>> Actually, shadow, group, passwd, etc... are not being vc-ed, for that
>>very reason.  They're not complex files, and I don't work heavily with
>>them -- so why bother?
> 
> 
> It really depends what you are doing, and what are your requirements:
> I would be very, very unhappy if some bit fungus eats those files, and
> I had to re-create them from scratch (especially /etc/group).

I don't keep any files with passwords in my repository for security 
reasons. In our environment, this means only ignoring shadow. group and 
passwd don't contain passwords (nor would they in most setups), so they 
should be safe to version.
I'm pretty sure (though have not tested) that you can recreate shadow 
automatically from passwd should you have a catastrophic failure - of 
course you'll lose your passwords, but given it's a server I don't think 
there's more than 2 or 3 passwords in shadow (all other accounts are 
service accounts).

As for how to get /etc into the repository, I did it as per the in-place 
import instructions, but added things non-recursively so as to ensure I 
got all the files that should be ignored, e.g.:
# svn st | grep \?
?	passwd
?	shadow
?	apache
...
# svn add -N apache passwd
# svn propedit svn:ignore . (add shadow to the list)


As well as passwords, you probably also want to avoid files that change 
constantly; /etc/mtab and /etc/adjtime are two examples of this. They 
can be recreated by programs and any version in the repository will 
probably be out of date.

In order to make sure the repository is kept up to date, I wrote a cron 
job that runs "svn st -u" daily and sends any output to administrators 
so as to remind them to commit their changes.

-- 
---------------------------------------------------------------------
Chris Jensen cjensen@edex.com.au

Educational Experience (Australia)
Postal Address: PO Box 860, Newcastle NSW 2300
Freecall:       1-800-025 270      International: +61-2-4923 8222
Fax:            (02) 4942 1991     International: +61-2-4942 1991

Visit our online Toy store! http://www.toysandmore.com.au/
---------------------------------------------------------------------

Re: Storing /etc in a repository

Posted by Ross Mark <ro...@controllingedge.com.au>.
Clemens Schwaighofer wrote:

>On 19.01.2005 22:41, Jani Averbach wrote:
>
>>I am using a single file where is listed owners and permissions
>>and that file is also versioned by SVN.  Much more elegant solution
>>would be to use ASVN
>><http://svn.collab.net//repos/svn/trunk/contrib/client-side/asvn>
>
>thing is, I took a look into it, and from its working way, it's more pre
>1.0 release. It kills symlinks and stores them in properties, for example.

Yes it was written pre 1.0 and I haven't had time to devise a clean 
upgrade path. If you are using a post 1.0 client just delete the 
contents of the updatedirsymlinks function or comment it out of the 
recorddirinfo. asvn should then ignore symlinks.

>So I am thinking about writing small hook scripts perhaps ..
>
>lg, clemens

Ross


Re: Storing /etc in a repository

Posted by Clemens Schwaighofer <cs...@tequila.co.jp>.

On 19.01.2005 22:41, Jani Averbach wrote:

> I am using a single file where is listed owners and permissions
> and that file is also versioned by SVN.  Much more elegant solution
> would be to use ASVN
> <http://svn.collab.net//repos/svn/trunk/contrib/client-side/asvn>

thing is, I took a look into it, and from its working way, it's more pre
1.0 release. It kills symlinks and stores them in properties, for example.

So I am thinking about writing small hook scripts perhaps ..

lg, clemens


Re: Storing /etc in a repository

Posted by Julien TOUCHE <ju...@lycos.com>.
Jani Averbach wrote:

>> How did you solve the file rights or ownership thing?
>> 
> 
> 
> I am using a single file where is listed owners and permissions and
> that file is also versioned by SVN.  Much more elegant solution would
> be to use ASVN 
> <http://svn.collab.net//repos/svn/trunk/contrib/client-side/asvn>
> 
do you support extended attributes from some linux fs or ffs/ufs/ufs2 ?
(like acl)
asvn seems not.

Regards

		Julien


Re: Storing /etc in a repository

Posted by Jani Averbach <ja...@jaa.iki.fi>.
On 2005-01-19 17:24+0900, Clemens Schwaighofer wrote:
> On 12/31/2004 06:03 AM, Jani Averbach wrote:
> 
> > In fact I version every single file which is not machine generated,
> > even if they are empty or contain no actual configurations.  This had
> > saved my day at least once, when ext3 htree index bug ate my whole
> > /etc/pam.d directory, and rendered the system unusable.  The whole
> > recovery process was a single 'svn up'...
> 
> How did you solve the file rights or ownership thing?
> 

I am using a single file where is listed owners and permissions
and that file is also versioned by SVN.  Much more elegant solution
would be to use ASVN
<http://svn.collab.net//repos/svn/trunk/contrib/client-side/asvn>

I started this before there was any ASVN, and I haven't needed so
often to restore files, so this single file based system has worked so
far well enough.

BR, Jani

-- 
Jani Averbach
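
Added example, not part of the original message and not Jani's own file format: one way to keep the "single file where owners and permissions are listed" and re-apply it after a checkout, which also covers the 0600-versus-0666 concern raised for shadow. The function names and manifest layout are assumptions; it relies on GNU stat and records numeric ids.

```shell
#!/bin/sh
# Added example: keep mode/owner/group in a manifest that is versioned
# next to the files, and re-apply it after 'svn up' or a checkout.
# Assumes GNU stat (-c). Symlinks and file names with trailing
# whitespace or newlines are not handled.

# Print "MODE UID GID PATH" for every file and directory under ROOT,
# skipping .svn administrative areas. Paths are relative to ROOT.
record_meta() {
    ( cd "$1" && find . -name .svn -prune -o \( -type f -o -type d \) \
          -exec stat -c '%a %u %g %n' {} + | LC_ALL=C sort -k4 )
}

# Re-apply MANIFEST under ROOT and print how many entries differed.
restore_meta() {
    fixed=0
    while read -r mode uid gid path; do
        target="$1/$path"
        if [ ! -e "$target" ]; then
            echo "missing: $path" >&2
            continue
        fi
        if [ "$(stat -c '%a %u %g' "$target")" != "$mode $uid $gid" ]; then
            # chown first: it can clear setuid/setgid bits, so the mode
            # is applied afterwards. Ownership changes need root.
            if [ "$(id -u)" -eq 0 ]; then chown "$uid:$gid" "$target"; fi
            chmod "$mode" "$target"
            fixed=$((fixed + 1))
        fi
    done < "$2"
    echo "$fixed"
}

# Constructed sample tree: a 0600 file that comes back as 0666, as it
# would when restored under a umask of 0000.
demo_meta() {
    root=$(mktemp -d) && manifest=$(mktemp) || return 1
    : > "$root/shadow"; chmod 0600 "$root/shadow"
    : > "$root/group";  chmod 0644 "$root/group"
    record_meta "$root" > "$manifest"
    chmod 0666 "$root/shadow"
    echo "entries corrected: $(restore_meta "$root" "$manifest")"
    stat -c '%a %n' "$root/shadow"
    rm -rf "$root" "$manifest"
}
demo_meta
```

Run record_meta before each commit so the manifest is committed together with the change it describes.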


Re: Storing /etc in a repository

Posted by Clemens Schwaighofer <cs...@tequila.co.jp>.

On 12/31/2004 06:03 AM, Jani Averbach wrote:

> In fact I version every single file which is not machine generated,
> even if they are empty or contain no actual configurations.  This had
> saved my day at least once, when ext3 htree index bug ate my whole
> /etc/pam.d directory, and rendered the system unusable.  The whole
> recovery process was a single 'svn up'...

How did you solve the file rights or ownership thing?

eg some files (shadow) are of course 0600, but the root's umask is 0000
so the file checked out will be 0666 (if it's lost).

or what about different owners, groups? (might be for a chroot running
named).

-- 
[ Clemens Schwaighofer                      -----=====:::::~ ]
[ TBWA\ && TEQUILA\ Japan IT Group                           ]
[                6-17-2 Ginza Chuo-ku, Tokyo 104-0061, JAPAN ]
[ Tel: +81-(0)3-3545-7703            Fax: +81-(0)3-3545-7343 ]
[ http://www.tequila.co.jp        http://www.tbwajapan.co.jp ]

Re: Storing /etc in a repository

Posted by Jani Averbach <ja...@jaa.iki.fi>.
On 2004-12-30 13:27-0700, Chris Rose wrote:
> Actually, shadow, group, passwd, etc... are not being vc-ed, for that
> very reason.  They're not complex files, and I don't work heavily with
> them -- so why bother?

It really depends what you are doing, and what are your requirements:
I would be very, very unhappy if some bit fungus eats those files, and
I had to re-create them from scratch (especially /etc/group).

In fact I version every single file which is not machine generated,
even if they are empty or contain no actual configurations.  This had
saved my day at least once, when ext3 htree index bug ate my whole
/etc/pam.d directory, and rendered the system unusable.  The whole
recovery process was a single 'svn up'...

But of course YMMV.

BR, Jani

-- 
Jani Averbach


Re: Storing /etc in a repository

Posted by Chris Rose <of...@gmail.com>.
Actually, shadow, group, passwd, etc... are not being vc-ed, for that
very reason.  They're not complex files, and I don't work heavily with
them -- so why bother?


On Thu, 30 Dec 2004 11:34:45 -0700, Jani Averbach <ja...@jaa.iki.fi> wrote:
> On 2004-12-30 11:03-0700, Chris Rose wrote:
> > I'm thinking that I should start being a more responsible admin of my
> > server -- I've run into situations before where I've made a change
> > that has broken something and I have wished like hell that I could A)
> > remember what it was and B) restore it to a working state.
> >
> > So, in that vein, I have a subversion repository that I'd like to be
> > able to keep my entire /etc tree in.  Or at least as much of it as is
> > reasonable to do so.
> 
> One thing to keep in mind is that subversion keeps a pristine copy of
> your file in the .svn directories.  So depending on your root's umask,
> it might be possible that your users could read e.g. your /etc/shadow via
> /etc/.svn/text-base/shadow.svn-base if you don't take care of
> permissions of .svn directories.
> 
> find /etc -name .svn -a -type d -exec chmod 0700 {} \;
> 
> should do the trick.
> 
> There is also asvn
> <http://svn.collab.net/repos/svn/trunk/contrib/client-side/asvn> which
> is meant to be used to version whole file system (special files,
> permissions, (links)).
> 
> Secondly, if you are doing merge operations with your /etc, and you
> are using ra_dav, keep in mind that the issue #1905,
> <http://subversion.tigris.org/issues/show_bug.cgi?id=1905> prevents
> you from merging targets with special characters. This is fixed with
> 1.1.2.  /etc/gconf/gconf.xml.defaults/ contains lots of these kind of
> problematic files.
> 
> BR, Jani
> 
> --
> Jani Averbach
> 


-- 
Chris R.
======
Not to be taken literally, internally, or seriously.


Re: Storing /etc in a repository

Posted by Jani Averbach <ja...@jaa.iki.fi>.
On 2004-12-30 11:03-0700, Chris Rose wrote:
> I'm thinking that I should start being a more responsible admin of my
> server -- I've run into situations before where I've made a change
> that has broken something and I have wished like hell that I could A)
> remember what it was and B) restore it to a working state.
> 
> So, in that vein, I have a subversion repository that I'd like to be
> able to keep my entire /etc tree in.  Or at least as much of it as is
> reasonable to do so.

One thing to keep in mind is that subversion keeps a pristine copy of
your file in the .svn directories.  So depending on your root's umask,
it might be possible that your users could read e.g. your /etc/shadow via 
/etc/.svn/text-base/shadow.svn-base if you don't take care of
permissions of .svn directories.

find /etc -name .svn -a -type d -exec chmod 0700 {} \;

should do the trick.

There is also asvn
<http://svn.collab.net/repos/svn/trunk/contrib/client-side/asvn> which
is meant to be used to version whole file system (special files,
permissions, (links)).

Secondly, if you are doing merge operations with your /etc, and you
are using ra_dav, keep in mind that the issue #1905,
<http://subversion.tigris.org/issues/show_bug.cgi?id=1905> prevents
you from merging targets with special characters. This is fixed with
1.1.2.  /etc/gconf/gconf.xml.defaults/ contains lots of these kind of
problematic files.


BR, Jani

-- 
Jani Averbach
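
Added example, not part of the original message: an audit that lists .svn directories looser than 0700 and the pristine copies they expose, then applies the chmod fix given above. The function names and the sample tree are assumptions; the text-base/*.svn-base layout is the one named in the message.

```shell
#!/bin/sh
# Added example: find .svn administrative directories that group or
# other can enter or read, show which pristine copies that exposes,
# and lock them down. Mode bits are tested directly, so the result
# does not depend on which user runs the audit.

# Print every .svn directory under ROOT with any group/other bit set.
exposed_svn_dirs() {
    find "$1" -type d -name .svn -prune \
        \( -perm -0040 -o -perm -0020 -o -perm -0010 \
           -o -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

# Print the pristine copies held inside the exposed directories.
exposed_pristine_copies() {
    exposed_svn_dirs "$1" | while IFS= read -r dir; do
        find "$dir/text-base" -type f -name '*.svn-base' 2>/dev/null
    done
}

# chmod 0700 each exposed directory; print how many were changed.
lock_svn_dirs() {
    exposed_svn_dirs "$1" | {
        changed=0
        while IFS= read -r dir; do
            chmod 0700 "$dir"
            changed=$((changed + 1))
        done
        echo "$changed"
    }
}

# Constructed sample tree standing in for /etc: one .svn directory
# created under a lax umask, one already restricted.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/.svn/text-base" "$root/etc/pam.d/.svn/text-base"
    : > "$root/etc/.svn/text-base/shadow.svn-base"
    : > "$root/etc/pam.d/.svn/text-base/login.svn-base"
    chmod 0755 "$root/etc/.svn"
    chmod 0700 "$root/etc/pam.d/.svn"
    echo "$root"
}

tree=$(make_sample_tree)
echo "exposed pristine copies:"
exposed_pristine_copies "$tree"
echo "directories locked: $(lock_svn_dirs "$tree")"
echo "still exposed: $(exposed_svn_dirs "$tree" | wc -l)"
rm -rf "$tree"
```

Setting umask 077 in the shell before running svn in /etc keeps newly created .svn directories from needing the fix at all.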


Re: Storing /etc in a repository

Posted by Chris Rose <of...@gmail.com>.
Alrighty, I think I can manage that.  Is there a way to 'pre-ignore'
files on a non-working copy without setting global-ignore?  More to
the point, can someone who has also done this perhaps offer some
recommendations as to what I should be ignoring?


On Thu, 30 Dec 2004 18:08:46 -0000, Max Bowsher <ma...@ukf.net> wrote:
> Chris Rose wrote:
> > I'm thinking that I should start being a more responsible admin of my
> > server -- I've run into situations before where I've made a change
> > that has broken something and I have wished like hell that I could A)
> > remember what it was and B) restore it to a working state.
> >
> > So, in that vein, I have a subversion repository that I'd like to be
> > able to keep my entire /etc tree in.  Or at least as much of it as is
> > reasonable to do so.
> >
> > How can I go about this, though?  I can check it in, but that's going
> > to A) be prohibitively large if there are unnecessary binary files in
> > there
> 
> Check in what is appropriate, and svn:ignore what is not.
> 
> > and B) I don't know how to convert /etc to a working copy
> > without deleting it all
> 
> http://subversion.tigris.org/project_faq.html#in-place-import
> 
> > -- and since the repository is on the same
> > system (with the apache server, etc...) I'm not sure if this is even
> > possible.
> >
> > I hope that someone else here has done something like this.  Should I
> > maybe set up a secondary repo on another system for this?  I don't
> > really have one to work with at the moment, so I'm not sure I can, but
> > if it's the only way I'll have to do it.  I'd prefer a one-machine
> > (different physical drive, so hardware redundancy == taken care of)
> > solution.
> 
> Put the repository wherever makes most sense for you. It really doesn't
> matter.
> 
> Max.
> 
> 


-- 
Chris R.
======
Not to be taken literally, internally, or seriously.


Re: Storing /etc in a repository

Posted by Max Bowsher <ma...@ukf.net>.
Chris Rose wrote:
> I'm thinking that I should start being a more responsible admin of my
> server -- I've run into situations before where I've made a change
> that has broken something and I have wished like hell that I could A)
> remember what it was and B) restore it to a working state.
>
> So, in that vein, I have a subversion repository that I'd like to be
> able to keep my entire /etc tree in.  Or at least as much of it as is
> reasonable to do so.
>
> How can I go about this, though?  I can check it in, but that's going
> to A) be prohibitively large if there are unnecessary binary files in
> there

Check in what is appropriate, and svn:ignore what is not.

> and B) I don't know how to convert /etc to a working copy
> without deleting it all

http://subversion.tigris.org/project_faq.html#in-place-import

> -- and since the repository is on the same
> system (with the apache server, etc...) I'm not sure if this is even
> possible.
>
> I hope that someone else here has done something like this.  Should I
> maybe set up a secondary repo on another system for this?  I don't
> really have one to work with at the moment, so I'm not sure I can, but
> if it's the only way I'll have to do it.  I'd prefer a one-machine
> (different physical drive, so hardware redundancy == taken care of)
> solution.

Put the repository wherever makes most sense for you. It really doesn't 
matter.

Max.

